Upper Arlington Schools statement on PowerSchool cybersecurity incident

Update: January 31, 2025

 

PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.

 

Update: January 28, 2025

In the coming days, PowerSchool will begin providing formal legal notice of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved.

A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parents / guardians as applicable) and educators for whom we have sufficient contact information. PowerSchool will also launch a website and distribute a media release to ensure we reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool.

 

Update: January 23, 2025

Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.

• Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.
• Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.

Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and relevant state attorney general offices.

 

Update: January 14, 2025

As indicated in our district communication sent on Friday, January 10, 2025, we are committed to sharing updates from PowerSchool regarding the Cybersecurity Incident. Please bookmark this website, which PowerSchool has created for informational updates and FAQs for each of the impacted user groups.

 

Upper Arlington Schools communication to staff and families — January 10, 2024

This week the district learned that on December 28, 2024, PowerSchool, the provider of our student information system, became aware of a cybersecurity incident.  This incident involved unauthorized access to certain information through one of its customer support portals, PowerSource. Over the following days, PowerSchool’s investigation determined that an unauthorized party from an IP address outside of the United States gained access to certain PowerSchool Student Information System data using a compromised login. The compromised account, which has since been deactivated by PowerSchool, was used to access all production and non-production servers via the PowerSchool API. 

The breach compromised PowerSchool servers across the state of Ohio, the United States and Canada. Upper Arlington servers were a part of this breach. We know that data from the Student and Teacher tables were exported. Upper Arlington does not use all of the fields listed on these two websites. In particular, the district can confirm that it does not use any social security number fields as a matter of practice. There are a small number of individuals whose social security numbers were included due to merged legacy data. Any current or recent student impacted by this has already received individualized communication from the district. 

PowerSchool has engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with perpetrators. With their guidance, PowerSchool has received reasonable assurances and video confirmation from the perpetrator that the data has been deleted and that no additional copies exist. They do not anticipate the data being shared or made public, and they believe it has been deleted without any further replication or dissemination. PowerSchool is reviewing current security practices and implementing further protocols to prevent this type of incident from happening again. Our local host, META, is also reviewing their current network restrictions to prevent similar breaches in the future.

At this time there is no action necessary on your part. As we continue to learn more about PowerSchool’s investigation and response to the incident we will continue to provide updates on our website.